Cloud APIs REST Style Guide

Introduction to REST

REST (REpresentional State Transfer) is a distributed computing style formalized by Roy Fielding in his doctoral dissertation. Fielding studied the architectural successes of the web and generalized his findings into a set of design principles that can be applied to other distributed hypermedia systems.

A uniform interface is exposed for all resources (GET, PUT, POST, DELETE etc. in the case of HTTP)

Messages are self-descriptive - i.e. each message contains everything necessary for a stateless server to process it

Hypermedia as the engine of application state (HATEOAS) - state transitions (e.g. changing a resource's state or examining a related resource) is driven by the hypermedia representation of the resource itself

By applying these principles to web services in general, it is hoped that web services will gain some of the desirable properties of the web such as horizontal scalability, de-coupled clients and servers, reduced latency through the use of proxies and real interoperability.

Another very real feature of RESTful APIs are their simplicity and familiarity of use. With any RESTful API, it should be relatively trivial to point a simple client (e.g. curl in a shell script) at a URI for the API and quickly build something useful. This makes a refeshing change from heavyweight middleware frameworks such as CORBA or WS-*.

A Word on HATEOAS

Hypermedia as the engine of application state is one of the REST principles which folks can struggle to get to grips with.

HATEOAS means that the hypermedia guides the clients' interactions. In other words, the hypermedia responses from the API contain links which the client can follow in order to make further requests. This also implies that the URI structure is not part of the API so the client does not manually construct URIs and the server is free to change its URI structure in future.

If you find that you are documenting the URI structure and explaining how clients should construct a URI, you are likely breaking this principle.

Purpose of this Style Guide

This document has two purposes:

Give straightforward answers to some the questions every RESTful API designer gets bogged down in.

The idea is that rather having each of these projects individually trip over the many hurdles associated with RESTful API design, we will collectively address each of the issues and come to some form of rough consensus (gasp!). And hopefully, not only will we save ourselves a few ulsers, but we will also end up with a set of APIs that look somewhat consistent.

This is a wiki, so feel free to edit it. If you want to make a more controversial change, or there is something here you don't like, fire off an email to the rest-practices mailing list.

Guidelines

Each of the below sections tries to advise you, the API designer, on the consensus style for our cloud related APIs.

Where appropriate, there will be link a relevant discussion on the rest-practices mailing list. Where the subject is still under discussion, that will be called out. Where multiple acceptable approaches have been proposed with no great controversy, then the approach which matches any of our existing APIs will be used.

The latter option isn't so great where the identifiers are mapped into programming language identifiers. CamelCase is nice for Java implementations, but lowercase_underscore just looks better in XML/JSON/etc.

Collections

URLs and XML elements for collections are the plural of the resource name e.g.

<departments>
</department>
</department>
<department>

Entry Point

As implied by HATEAOS, each API should strive for a single entry point URI.

Where there is a natural top-level object or collection represented by the API, this can be the resource addressed by the entry point. That resource will then have links with which the client can navigate to all other resources.

In other cases, the top-level URI should merely return an "api" resource with links to the other resources or collection of resources in the API e.g.

The client uses its knowledge of the API's link relation types to decide which URI it needs.

XML Schema

RESTful services should be representation-oriented. This means you should pay close attention to the representation of the service's resources.

The default representation of resources in our APIs is XML. Each API should have an XML schema (or RNG schema) which clients and the server alike can use to validate their XML output in their test suites. Deployed servers should not validate client input using this schema so that newer clients may continue to work with older servers.

In the case of a Java server using JAX-RS, it makes good sense to start with a schema of the representation and use xjc to generate JAX-B annotated classes. This ensures your design focus is on the XML representation rather than the object model in the code.

JSON

YAML

Describe our mapping of YAML to JSON.

Compatibility and Versioning

Once released, all cloud APIs should make an API stability guarantee. Resource representations may be extended, but it must be in a backwards compatibile manner - i.e. old client works with new server.

If at any point in the API evolution a backwards incompatible change must be made, then a new link relation type should be added to support the new incompatible representation and the old relation type should be retained e.g.

FIXME: discuss the option of using content type negotiation based on versioned media types for this.

Documentation

APIs should be documented. Suggest a documentation style.

Identifiers

Resources may typically have three types of identifiers associated with them:

An opaque, server-generated identifier like a UUID. This identifier should be relatively permanent and suitable for clients to store in their own database. Give an entry point URI and this identifier, the client should be able to navigate to the resource.

A URI, which is also opaque and server-generated, but less stable. The server hostname may change, the API entry point may move or the URI structure may change. For these reasons, clients should only use URIs during a single session.

An optional human-readable name, most likely assigned by the user. It should be possible to find the resource using its name, but clients should be aware that the name can be changed at any time by the user.

Some guidelines fall naturally from those observations:

When a server response includes a reference to a resource, the most natural identifier to supply is the URI. However, the primary id could also be supplied for convenience e.g.

Link Headers

It can be useful to use Link headers to expose some links related to a resource in the HTTP headers. This allows clients to obtain those links without parsing the response body and can use a HEAD request to avoid fetching the body at all.

However, they are appropriate only when the entity body can only contain a single link of a given relationship type - e.g. it is probably not appropriate in a response containing a collection of objects.

Also, some clients and servers have difficulty with multiple headers of the same name. To avoid this issue, concatenate multiple Link headers using a comma to separate them.

The draft HTTP Link header specification requires that any custom relations defined by an application by a URI. This is inconvenient, not yet common practice and not fully approved, so we avoid it for now.

To create a new resource, you POST to the collection URI. The URI of the newly created resource is returned using the Location header and, optionally, the representation of the resource is returned in the response body:

Async Operations

Caching

Updates Monitoring

Errors

WADL

Security

The resource representations seen by a given user should depend on what the user has permissions too. Some examples:

There should be no 'reboot' action link in a VM representation if the user does not have permission to reboot that VM

There should be no 'HR' department included in the departments collection if that user does not have permission to view the 'HR' department

Language/Platform Considerations

Most of our APIs are implemented using:

Java, JBoss, JAX-RS, RESTeasy

Ruby, Rails, Sinatra, ActiveResource, ...

REST makes the interoperability question mostly straightforward, but we should be mindful about not making things too awkward for a certain core set of clients:

Shell script using e.g. curl

Java (which client API do we recommend)

Ruby

Python

Java

RESTeasy's Client Proxy Framework has the advantage that the server-side JAX-RS annotated interfaces can be re-used, but this also presents a problem. By using the proxy framework, a client embeds knowledge of the URI structure and, as such, is susceptible to future changes in the URI structure. For that reason, using this framework is discouraged except for quick n' dirty clients that aren't worried about future changes to the API.